
‘Operation Parliament’ Imitates Another Actor to Stay Undetected

A series of geopolitically motivated attacks ongoing since early 2017 and targeting high profile organizations worldwide appear to be a symptom of escalating tensions in the Middle East region, Kaspersky Labs reveals.

Utilizing unknown malware, the actor remained under the radar by imitating another attack group in the region, which also made attribution difficult, especially given recent examples of false flags being planted to send investigators down the wrong tracks.

While the initial attacks look like the work of the unsophisticated Gaza Cybergang (based on the decoys and file names), deeper analysis revealed a different picture, Kaspersky says.

The attacks, which Kaspersky refers to as Operation Parliament, were clearly centered on espionage, hitting top legislative, executive and judicial bodies. Since early 2017, the attackers have targeted numerous organizations worldwide, but focused mainly on the Middle East and North Africa (MENA) region, especially Palestine.

Believed to be connected to incidents Cisco Talos detailed earlier this year, the assaults targeted high-profile entities such as parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies, and other unknown entities.

Kaspersky believes the attacks are the work of “a previously unknown geopolitically motivated threat actor” doing “just enough to achieve their goals.” The attackers supposedly have access to additional tools when needed and also use “an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff.”

Compromised systems range from “personal desktop or laptop systems to large servers with domain controller roles or similar.” They belong to ministries responsible for telecommunications, health, energy, justice, finance, and other areas.

Victims were located in the Palestinian Territories, Egypt, Jordan, the UAE, Saudi Arabia, Djibouti, Qatar, Lebanon, Chile, Somalia, Iraq, Morocco, Syria, India, Iran, Canada, the USA, the UK, Germany, Israel, Afghanistan, Serbia, Russia, Oman, Kuwait, South Korea and Denmark.

The attackers carefully verified victim devices before infecting them and also safeguarded their command and control (C&C) servers. The attacks have slowed down since the beginning of this year, likely “winding down when the desired data or access was obtained,” Kaspersky notes.

“The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital),” the researchers point out.

Packed with VMProtect, the employed malware didn’t reveal similarities with previously known malicious programs. Encryption and obfuscation were applied to all strings and settings, while communication with the C&C server was achieved via HTTP.

Data sent to the C&C is encrypted and the malware uses different keys for local and network encryption. The malware initiates communications by sending basic information about the infected machine and the server responds with the encrypted serialized configuration.

The malware provides a remote CMD/PowerShell terminal for the attackers, which allows them to execute scripts and commands on the compromised machines, and to receive the results via HTTP requests.

Kaspersky would not provide full details on the attacks and the malware used, but points out that high-profile organizations should have advanced protections in place, given that attacks against them “are inevitable and are unlikely to ever cease.”

“These organizations need to pay particular attention to their security, implementing additional measures to ensure they are well protected. Anti-targeted attack solutions, threat intelligence capabilities and data flows, default-deny application lockdown, endpoint detection and response, data leak and insider threat prevention, and even isolated/air-gapped networks should form the basis of any strategy for protecting organizations in the current threat landscape,” Kaspersky concludes.

Related: Actor Targeting Middle East Shows Excellent OPSEC

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
